Most modern day digital devices encrypt data with a user-supplied password. This strategy keeps the device and the data it holds under a lock. Only the person with knowledge of the password can readily access the device. In order to provide strong security, this password has to be of sufficient length and complexity. Otherwise, an adversary can guess it. For example, a common practice is to use a simple numerical pin (typically 4-digit). Such a pin is a weak security mechanism since an adversary has to only guess a limited number of combinations (10000 for a 4-digit pin). Requiring a long alphanumeric password unfortunately has a user experience problem. When a user wishes to access the device, he or she has to enter this password (typically either through a touch screen based software keyboard or a physical keyboard on the device). Entering this password is cumbersome, error prone and often causes delays. Thus there is a tradeoff between usability and security.
It is a practice on some devices to simply use a small numerical pin (e.g., 4-digit). Such a pin provides very weak security since an adversary has to only guess a limited number of combinations (10000 for a 4-digit pin). Furthermore, someone with physical access to the device can perform a brute force search quickly—his speed is only limited by how many PIN-cracking CPUs he can use. It is therefore recommended that a password not simply be a numerical password but also include alphabet characters as well as special characters (e.g., !@#$%^, etc.). It's also recommended that there is a rate limit on password attempts, but this isn't always feasible, such as an entirely-on-phone cryptosystem. For example, for an entirely-on-phone system, attempts to rate limit password entry may be overcome by an attacker with physical access to the device, for example by modifying the device to bypass the password and/or password entry rate limiting requirement and/or by offloading device data to a computer and using a brute force attack to gain access in spite of the rate limiting requirement. Drawing from such a diverse set of characters means that every single character of the password can come from a large number of possibilities. For example, using all characters on a typical QWERTY keyboard results in 90 different possible characters. The second recommendation is that a password be at least 8 characters long. This increases the number of guessable combinations to over 4000-trillion combinations. A numerical pin provides a significantly less secure password than a long password comprised of all alphanumerical characters.